A network protected by a static (and even dynamic) WEP key can ''very easily'' be compromised by a nefarious user. WPA corrects the problem of the static key by changing the key after a certain number of packets have been transmitted/received, or once a certain amount of time has passed. This process is performed by a daemon which is tightly bound to your wireless hardware.

Inferior drivers (in particular those used through ndiswrapper) can provide much frustration when used in conjunction with [http://hostap.epitest.fi/wpa_supplicant/ wpa_supplicant]. Therefore, if at all possible, use hardware with proper support and high quality drivers.

[http://hostap.epitest.fi/wpa_supplicant/ wpa_supplicant] is a cross-platform [https://en.wikipedia.org/wiki/Supplicant_(computer) WPA Supplicant] with support for WPA and WPA2 ([https://en.wikipedia.org/wiki/IEEE_802.11i IEEE 802.11i] / RSN (Robust Secure Network)). It is suitable for both desktop/laptop computers and embedded systems. {{ic|wpa_supplicant}} is the IEEE 802.1X/WPA component that is used in the client stations. It implements key negotiation with a WPA Authenticator and it controls the roaming and IEEE 802.11 authentication/association of the wlan driver.


==Installation==


Install {{Pkg|wpa_supplicant}} from the [[official repositories]].

Optionally {{Pkg|wpa_supplicant_gui}} can be installed, which provides {{ic|wpa_gui}}, a graphical frontend for {{ic|wpa_supplicant}} using the {{pkg|qt4}} toolkit.

==Considerations==

This article assumes that you are familiar with your hardware, and are capable of finding your way around configuration files and configuring your system. It is critical that you have '''read and understood''' the [[Wireless Setup]] article because it is the basis for all that we are going to explain here.

This document is not a prerequisite if your hardware works out of the box and is handled through a network connection daemon like [[NetworkManager]] or the like. If you prefer to connect to the network using a graphical tool, you should not be reading this.

==Configuration==

{{pkg|wpa_supplicant}} provides a reference configuration file located at {{ic|/etc/wpa_supplicant/wpa_supplicant.conf}} which contains detailed documentation for all available options and their use.

In this article, the '''passphrase''' will refer to the string of [[wikipedia:ASCII|ASCII]] characters provided by the network administrator. It will typically be enclosed in quotes when used. The '''psk''' is the hexadecimal form of the passphrase and will not be enclosed in quotes.

In its simplest form, all the configuration file requires is a network block, for example:

{{hc|/etc/wpa_supplicant/foobar.conf|2=
network={
	ssid="..."
}
}}

==Installation==

WPA supplicant can be [[Pacman|installed]] with the package {{Pkg|wpa_supplicant}}, available in the [[official repositories]].

This package has been built with support for a very broad range of wireless hardware. For your information, here is the list, which can be obtained by executing {{ic|wpa_supplicant}}:

{{hc|# wpa_supplicant|<nowiki>
...
Driver list:
*HostAP
*Prism54
*NDISWrapper
*AMTEL
*IPW (both 2100 and 2200 drivers)
*WEXT (Generic Linux wireless extensions)
*Wired ethernet
</nowiki>}}

Most wireless hardware is supported by default by ''wpa_supplicant''. Even if your chipset manufacturer is not listed (which is the most probable case), you can still make use of the Generic Wireless Extensions (WEXT) to connect to a WPA-secured network. Most (~75%) hardware is supported by WEXT, whereas ~20% can be made compatible by recompiling ''wpa_supplicant'' and/or the hardware drivers from scratch; unfortunately, the remaining 5% is definitely incompatible. The WPA Supplicant PKGBUILD is available under {{ic|/var/abs/core/wpa_supplicant}}, with the [[ABS]] tree installed.

===Optional: Install the GUI version===


Users who prefer a graphical interface can install the {{Pkg|wpa_supplicant_gui}} package, a GUI developed by the same team, from the official repositories.


==Configuring and connecting==


WPA Supplicant is packaged with a sample configuration file: {{ic|/etc/wpa_supplicant/wpa_supplicant.conf}}. It is well commented and provides many details about network mechanics. All the variables used in this article are described in this file. It also features a lot of configuration samples. It is highly recommended to read it, as well as the manpages {{ic|man wpa_supplicant}} and {{ic|man wpa_supplicant.conf}}.


A WPA_Supplicant configuration file contains all configuration settings for {{Ic|wpa_supplicant}}. You can create as many as you want and put them anywhere you want, since you must specify which config file to use on each {{ic|wpa_supplicant}} call. Its content is quite simple:


* The first part is the global config. It is a series of ''key-value'' lines.


* The second part is composed of ''network blocks'', one for each "profile" you want to set.


For the purpose of simplifying, we will leave the sample config file where it is and work on a brand new file {{ic|/etc/wpa_supplicant.conf}}.


There are several ways to manage the wpa_supplicant configuration. Choose one of the following methods.

===Manual===


====Configuration file====


First you must retrieve all parameters needed to connect to your access point.


# iw wlan0 scan


More details [[Wireless Setup#Access point discovery|here]].


So now you should know the following parameters for wpa_supplicant:

* ssid
* proto (optional on unencrypted networks)
* key_mgmt
* pairwise
* group

Additionally, you may need authentication parameters (EAP, PEAP, etc.) if you are on such a network, as it is often the case in universities for example.


'''First touch'''


Now you can create a network block in the config file:

{{hc|wpa_supplicant.conf|<nowiki>
network={
	ssid="mywireless_ssid"
	psk="secretpassphrase"
	# Additional parameters (proto, key_mgmt, etc.)
}</nowiki>
}}

This is the basic configuration required to get WPA working. The first line is the opening statement for the network block, the second is the SSID of the base station you are wanting to connect to, the third line is the passphrase.

{{Warning|Do not forget the double quotes around the SSID and the PSK.}}

This can easily be generated using the {{ic|wpa_passphrase}} tool. For example:

{{hc|$ wpa_passphrase foobarssid foobarspassword|<nowiki>
network={
	ssid="foobarssid"
	#psk="foobarspassword"
	psk=f5d1c49e15e679bebe385c37648d4141bc5c9297796a8a185d7bc5ac62f954e3
}
</nowiki>}}


'''Passphrase to PSK'''


At the network level, the passphrase is never used directly; it is only a convenient way for humans to handle the key.

You may provide the hex version directly by utilizing the {{Ic|wpa_passphrase}} utility, which is part of the {{Pkg|wpa_supplicant}} package.


For example:

{{hc|# wpa_passphrase "mywireless_ssid" "secretpassphrase"|<nowiki>
network={
	ssid="mywireless_ssid"
	#psk="secretpassphrase"
	psk=7b271c9a7c8a6ac07d12403a1f0792d7d92b5957ff8dfd56481ced43ec6a6515
}
</nowiki>}}


{{Tip| If you're having trouble using this function with certain special characters under your shell, use a temporary text file for the passphrase. You can then direct input so that it is not interpreted by the shell: {{ic| <nowiki># cat passphrase_noquotes.txt | wpa_passphrase "ssid" </nowiki>}} }}


Note the third line (commented out) is the passphrase, and the fourth line is the PSK. Either is valid to connect, but the PSK is more portable in config files.

If you redirect the output with {{Ic|>>}}, it will be ''appended'' to {{ic|/etc/wpa_supplicant.conf}}.
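As an added example (not from this page or the wpa_supplicant project), the following Python reproduces what {{ic|wpa_passphrase}} computes: the PSK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt (4096 iterations, 32 bytes), and the printed block is rebuilt in the same shape. The SSID/passphrase values are constructed and {{ic|keep_passphrase_comment}} is a name chosen here; it lets you drop the commented-out passphrase so only the hex PSK lands in the plain-text config file.

```python
"""Derive a WPA/WPA2-Personal PSK from an SSID and passphrase the way wpa_passphrase
does (added example, not code from the wiki page or the wpa_supplicant project).
IEEE 802.11i defines PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes);
the SSID/passphrase pairs used with these functions are constructed sample values."""
import hashlib


def derive_psk(ssid, passphrase):
    """Return the 64-hex-digit PSK, enforcing wpa_passphrase's input limits."""
    if not 8 <= len(passphrase) <= 63:      # a 64-char value would be a hex PSK, not a passphrase
        raise ValueError("passphrase must be 8..63 characters")
    if not 1 <= len(ssid.encode()) <= 32:   # 802.11 SSIDs are at most 32 bytes
        raise ValueError("ssid must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()


def rejects(ssid, passphrase):
    """True if derive_psk refuses the pair (exercises the validation path)."""
    try:
        derive_psk(ssid, passphrase)
    except ValueError:
        return True
    return False


def network_block(ssid, passphrase, keep_passphrase_comment=True):
    """Render the network block in the shape wpa_passphrase prints: quoted ssid,
    the passphrase only as a '#psk=' comment, and the hex psk unquoted. Because
    the config is stored in plain text, keep_passphrase_comment=False leaves the
    passphrase out of the file entirely (the hex psk alone is enough to connect)."""
    lines = ["network={", f'\tssid="{ssid}"']
    if keep_passphrase_comment:
        lines.append(f'\t#psk="{passphrase}"')
    lines.append(f"\tpsk={derive_psk(ssid, passphrase)}")
    lines.append("}")
    return "\n".join(lines)
```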

You can add as many network blocks as you want. wpa_supplicant will know which one to use based upon the detected SSIDs in the area.


'''Network block options'''


All of the security parameters need to be specified here. Note that if you are unsure about which value your access point requires, you can use several of them; wpa_supplicant will automatically use the one that works. For example, you can add

proto=WPA RSN

so that it will work whether your access point uses WPA or WPA2 (RSN). A protocol you do not list will not be tried: with {{ic|1=proto=WPA}} alone, wpa_supplicant will not find a WPA2 (RSN) access point by itself, so you have to append {{ic|RSN}} to the other values. Note that {{ic|WEP}} is not a valid {{ic|proto}} value (wpa_supplicant rejects the line); WEP networks are configured with {{ic|1=key_mgmt=NONE}} and a {{ic|wep_key0}} entry instead.


If the SSID is hidden, add the following option to the block:


scan_ssid=1


If you need to connect to several networks, just define another network block in the same file.


You can specify a priority for each network block:


priority=17


Change the priority at will, recalling that blocks with higher priority numbers are tried first.

There are a large number of options which are available to set under the network which you can investigate by looking at the original configuration file. In most cases you can use the defaults, and not specify anything further in that section at the moment.


'''Global options'''


Lastly, you will need to specify some global options.


Specify these additional lines at the top of {{ic|/etc/wpa_supplicant.conf}}, with your editor of choice. The following is mandatory.


ctrl_interface=DIR=/run/wpa_supplicant GROUP=wheel


{{Note|1=For use with {{Pkg|netcfg}}>=2.6.1-1, this should be {{ic|/run/wpa_supplicant}} (note: ''not'' {{ic|/var/run/wpa_supplicant}}). This will, however, break the default for {{Ic|wpa_cli}} (use the {{Ic|-p}} option to override). If this is not changed, one gets errors like "Failed to connect to wpa_supplicant - wpa_ctrl_open: no such file or directory".}}


There are a lot of optional parameters (have a look at {{ic|/etc/wpa_supplicant/wpa_supplicant.conf}}). For example:

ap_scan=0


fast_reauth=1


{{Note|Your network information will be stored in plain text format; therefore, it may be desirable to change permissions on the newly created {{ic|/etc/wpa_supplicant.conf}} file (e.g. {{Ic|chmod 0600 /etc/wpa_supplicant.conf}} to make it readable by root only), depending upon how security conscious you are.}}


'''Complete example'''


{{hc|wpa_supplicant.conf|<nowiki>
ctrl_interface=DIR=/run/wpa_supplicant GROUP=wheel
fast_reauth=1
ap_scan=1

network={
	ssid="mySSID"
	proto=RSN
	key_mgmt=WPA-EAP
	pairwise=TKIP CCMP
	auth_alg=OPEN
	group=TKIP
	eap=PEAP
	identity="myUsername"
	password="********"
}</nowiki>
}}

Keep every line in the form {{ic|1=key=value}}: wpa_supplicant's parser does not accept whitespace around the equals sign and reports such lines as unknown fields.

More sophisticated configurations, like EAPOL or RADIUS authentication are very well detailed in the {{ic|wpa_supplicant.conf}} man page ({{ic|man wpa_supplicant.conf}}). Do not forget to have a look at {{ic|/etc/wpa_supplicant/wpa_supplicant.conf}}. These configurations fall out of the scope of this document.
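Because the daemon rejects lines it cannot parse, here is an added Python checker (not from this page or the wpa_supplicant project) that applies the rules from the network block options and the complete example above: no whitespace around the equals sign, a quoted SSID, a 64-hex-digit unquoted PSK or an 8-63 character quoted passphrase, and only {{ic|WPA}}/{{ic|RSN}}/{{ic|WPA2}} as {{ic|proto}} values. The two sample configs inside it are constructed.

```python
"""Lint a wpa_supplicant.conf the way the daemon's parser reads it (added example,
not code from the wiki page or the wpa_supplicant project). Rules follow the page's
advice: no whitespace around '=', a double-quoted ssid, an unquoted 64-hex-digit psk
(or a quoted 8-63 character passphrase), and proto limited to WPA/RSN/WPA2."""
import re

VALID_PROTO = {"WPA", "RSN", "WPA2"}
HEX = re.compile(r"^[0-9a-fA-F]+$")

def strip_comment(raw):
    """Drop a trailing '# ...' comment unless the '#' sits inside double quotes."""
    inquote = False
    for i, ch in enumerate(raw):
        if ch == '"':
            inquote = not inquote
        elif ch == "#" and not inquote:
            return raw[:i]
    return raw

def lint(text):
    """Return [(line_no, message), ...] for a config text; [] means clean."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw).strip()
        if not line or line in ("network={", "}"):
            continue
        if re.fullmatch(r"network\W+", line):  # e.g. 'network ={' or 'network{='
            findings.append((no, "network block must open with exactly 'network={'"))
            continue
        if "=" not in line:
            findings.append((no, "not a key=value line"))
            continue
        key, value = line.split("=", 1)
        if key != key.strip() or value != value.strip():
            findings.append((no, "whitespace around '=' makes the field unknown"))
            key, value = key.strip(), value.strip()
        quoted = value.startswith('"') and value.endswith('"') and len(value) >= 2
        if key == "proto":
            bad = sorted(set(value.split()) - VALID_PROTO)
            if bad:
                findings.append((no, "invalid proto value(s): " + " ".join(bad)))
        elif key == "ssid" and not quoted and not HEX.match(value):
            findings.append((no, "ssid must be double-quoted (or a hex string)"))
        elif key == "psk" and quoted and not 8 <= len(value) - 2 <= 63:
            findings.append((no, "passphrase psk must be 8-63 characters"))
        elif key == "psk" and not quoted and not (HEX.match(value) and len(value) == 64):
            findings.append((no, "hex psk must be exactly 64 hex digits, unquoted"))
    return findings

# Constructed input: the page's 'Complete example' shape, with spaces around '='
# and WEP given as a proto value.
BAD = """ctrl_interface=DIR=/run/wpa_supplicant GROUP=wheel
ap_scan = 1
network ={
    ssid = "mySSID"
    proto = WEP WPA
    psk = "short"
}
"""

# Constructed input: the same intent written the way wpa_supplicant expects it.
GOOD = """ctrl_interface=DIR=/run/wpa_supplicant GROUP=wheel # wheel members may control the daemon
update_config=1
ap_scan=1
network={
    ssid="foobarssid"
    proto=WPA RSN
    psk=f5d1c49e15e679bebe385c37648d4141bc5c9297796a8a185d7bc5ac62f954e3
}
"""
```

Running {{ic|lint(BAD)}} reports the opening-brace, whitespace, WEP and short-passphrase problems line by line, while {{ic|lint(GOOD)}} returns an empty list.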


==== Connection ====


Now you can try connecting manually.


First, bring the Wi-Fi interface up. For the purposes of this example, we will use the interface ''wlan0''.


# ip link set wlan0 up


Typically, you will be able to use the '''W'''ireless '''EXT'''ensions driver for wpa_supplicant; if you cannot, then you might need to check how to do it with your specific wireless device on the Internet.


Issue the following as root:


# wpa_supplicant -B -D nl80211 -i wlan0 -c /etc/wpa_supplicant.conf


The previous syntax tells wpa_supplicant to associate with the SSID which is specified in {{ic|/etc/wpa_supplicant.conf}}. Also, this association should be performed through the ''wlan0'' wireless interface, and the process should move to the background, ({{Ic|-B}}). For verbose output, add {{Ic|-d}} or {{Ic|-dd}} (for debug) to dump more information to the console. You can find additional examples [http://www.examplenow.com/wpa_supplicant here].


In the console output, there should be a line that reads '''Associated:''' followed by a MAC address. All that is required now is an IP address.

{{Note|If you don't want or need to touch {{ic|/etc/wpa_supplicant.conf}} (e.g., when installing Arch), you can pipe the output of {{ic|wpa_passphrase}} to {{ic|wpa_supplicant}}.}}

{{Note|''Do not'' request an IP address immediately! You must wait to ensure that you are properly associated with the access point. If you use a script, you can use {{Ic|sleep 10s}} to wait for 10 seconds.}}

Verify that the interface has received an IP address using the {{Ic|iproute}} package.

There are two frontends to wpa_supplicant actually written by the wpa_supplicant developers themselves, "wpa_cli", and "wpa_gui". wpa_cli is, as you might expect, a command line front end, while "wpa_gui" is a Qt-based frontend to wpa_supplicant. wpa_cli is included with the {{Ic|wpa_supplicant}} package, whereas {{Ic|wpa_supplicant_gui}} is its own package.


wpa_gui or wpa_cli require a very minimal {{ic|/etc/wpa_supplicant.conf}}. A simple example:


ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=network


update_config=1


This configuration will allow users in the {{Ic|network}} group to control {{Ic|wpa_supplicant}} via the wpa_gui/wpa_cli frontends. The {{Ic|update_config<nowiki>=</nowiki>1}} variable allows these programs (wpa_cli, wpa_gui) to automatically modify the {{ic|/etc/wpa_supplicant.conf}} file, to save new networks or to make modifications to existing networks.

Start wpa_supplicant:


# wpa_supplicant -Dwext -i wlan0 -c /etc/wpa_supplicant.conf -B


where the {{Ic|-D}} option specifies your wireless driver (which is almost always {{Ic|wext}}), {{Ic|-i}} specifies the interface (replace {{Ic|wlan0}} with your wireless interface's name) and {{Ic|-c}} specifies the configuration file to use (normally {{ic|/etc/wpa_supplicant.conf}}). {{Ic|-B}} instructs wpa_supplicant to run as a daemon. You will have to run wpa_supplicant as root (or with root permissions using [[sudo]]), but any user in the {{Ic|network}} group can run wpa_gui or wpa_cli.


wpa_gui or wpa_cli should now be operable.


{{Ic|wpa_cli}}, when invoked without options, gives you an interactive prompt; type {{Ic|help}} for a list of commands.

wpa_gui is quite straightforward. If you hit "scan", you will be presented with a list of detected SSIDs; double-click one to add it, and a dialogue box will let you enter the information needed to associate with that network. Most likely, you will only have to enter your pre-shared key (PSK) if you use WPA/WPA2, or your {{Ic|key0}} for a WEP connection. The protocol for WPA/WPA2/WEP/Unencrypted should be detected automatically. Things like 802.1X will require a bit more configuration.

{{Warning|WEP is ''seriously'' broken and should ''never'' be used outside of a laboratory/testing environment. Use ''at least'' WPA (WPA2 is recommended) for a more secure wireless network.}}


After you add a network, you can modify it if you do something like changing the PSK. Switch to the 'Manage Networks' tab and select the network you want to Edit / Remove. You can also add a network without scanning, which you will need to do if you do not broadcast your SSID.

Now both {{ic|wpa_supplicant}} and {{ic|wpa_passphrase}} can be combined to associate with almost all WPA2 (Personal) networks.

All that remains is to simply connect using a [[Network Configuration#Static_IP_Address|static IP]] or [[Network Configuration#Dynamic_IP_Address|DHCP]]. For example:

# dhcpcd -A [interface]

{{Note|Configuring your wireless network to not broadcast its SSID does '''not''' increase the security of your wireless network. It is a trivial exercise to identify hidden SSIDs.}}


===Maintaining a custom configuration===


{{Note|Be advised that the recommended method for connection is using [[Netctl]] and is certainly better in the long term.}}


As discussed above we can make use of {{ic|wpa_passphrase}} to generate a basic configuration which we can augment with additional networks and options of our choosing. This may be necessary for more advanced networks employing extensive use of [https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol EAP].


{{Note|wpa_cli and wpa_gui will not get you an IP address or set up a proper routing table. They will ''only'' associate you with a wireless access point. }}


Firstly we will use {{ic|wpa_passphrase}} to create our basic configuration file.

Next add a {{ic|ctrl_interface}} so that we may control the {{ic|wpa_supplicant}} daemon. We can allow {{ic|wpa_cli}} to edit this configuration by setting {{ic|1=update_config=1}}. We will also allow {{ic|wpa_supplicant}} to initiate AP (Access Point) scanning and selection with {{ic|1=ap_scan=1}}.

{{hc|/etc/wpa_supplicant/foobar.conf|<nowiki>
ctrl_interface=DIR=/run/wpa_supplicant GROUP=wheel # allow control for members in the 'wheel' group
update_config=1
ap_scan=1
network={
	ssid="foobarssid"
	psk=f5d1c49e15e679bebe385c37648d4141bc5c9297796a8a185d7bc5ac62f954e3
}
</nowiki>}}

We probably already have a dhcpcd service for eth0, but we need to add one specifically for the wireless device:

Enable the systemd target:


# systemctl enable dhcpcd@wlan0.service


Start the service:


# systemctl start dhcpcd@wlan0.service


Check the status of the service:


# systemctl status dhcpcd@wlan0.service


After "Active:" it should report "active (running)".

The next reboot should bring up the wireless adapter, associate it with the network, and obtain an IP address. Verify this by:


# ip a


==== Using boot script ====


{{Out of date|Should change to systemd service.}}


To automatically start {{Ic|wpa_supplicant}} & {{Ic|wpa_cli}} at boot, add the following lines to {{ic|/etc/rc.local}}:


wpa_supplicant -B -D wext -i wlan0 -c /etc/wpa_supplicant.conf


wpa_cli -B -a /path/to/your/wpa_cli-action.sh


==== Using wpa auto ====


The {{AUR|wpa_auto}} scripts from the [[AUR]] can be used to start {{Ic|wpa_supplicant}} at boot and automatically run a DHCP client to configure your network connection after you associate to a wireless network, or you could write your own scripts to do so. Higher level wireless/network management utilities are also available that are capable of managing both wireless and wired connections.

On the next reboot, the wireless interface will be brought up and wpa_supplicant started. If a known network is available, a connection will be established. For more information on netcfg see [[Network Profiles]].


==== Wicd ====


Install {{Pkg|wicd}} from the official repositories.


Wicd is very straightforward; scan for networks, fill in the required data and connect. You might need to add {{ic|/usr/lib/wicd/autoconnect.py}} to init and power management scripts for reconnecting to networks if auto-connection behavior is expected.


==Troubleshooting==


{{Accuracy}}


Most of the issues are related to the association process; therefore, you should have a deep look at wpa_supplicant's output when you suspect it is misbehaving. Add {{Ic|-d}} (for debug) to increase the verbosity. Usually {{Ic|-dd}} is enough. {{Ic|-dddd}} might be overkill.


When you are inspecting the log, have a look at entries like this one:


ioctl[''WHATEVER'']: Operation not supported


If this is the case, you are experiencing a driver issue. Upgrade your WLAN drivers, or change the {{Ic|-D}} parameter for wpa_supplicant.


Another common problem is ''No suitable AP found'' messages. wpa_supplicant seems to have trouble finding hidden ESSIDs. Usually, setting {{Ic|scan_ssid<nowiki>=</nowiki>1}} in your {{Ic|network}} block will take care of this.


===Fallback: Recompiling wpa_supplicant===


Grab a copy of wpa_supplicant's source code from the homepage or from the [[ABS]]. Once downloaded and extracted, have a look at the file '{{ic|.config}}' (yes, it is hidden). The file looks like a kernel configuration file, only much smaller. Have a look at the sections named {{Ic|CONFIG_DRIVER_''DRIVERNAME''}} and choose yes or no, depending upon your driver. Be careful with the options chosen, because you will need to specify an additional path to your wireless drivers' source code in order to correctly compile the low-level association component. Some weird Atheros-based cards may need a fresh wpa_supplicant build compiled against the latest {{Ic|madwifi-svn}} release available. If this is the case, here is an example to help you through the compilation process:


'''madwifi example''': edit the following lines in the configuration file to look like this. This assumes that you have built madwifi with the ABS and that the source code from the build is stored in {{ic|/var/abs/local/madwifi/src/}}.

{{hc|.config|<nowiki>
#Driver interface for madwifi driver
CONFIG_DRIVER_MADWIFI=y
#Change include directories to match with the local settings
CFLAGS += -I/var/abs/local/madwifi/src/madwifi
</nowiki>}}

Once configured, you can proceed with makepkg as usual.


=== Unable to use wpa_gui for configuring new networks ===


By default the {{Ic|ap_scan}} variable is set to {{Ic|0}}, which means that wpa_supplicant lets the wireless LAN driver perform AP scanning. If your driver does not support scanning, wpa_supplicant will quit when prompted to scan for wireless networks.


In this case, add:


ap_scan=1


to your {{ic|/etc/wpa_supplicant.conf}}.

=== No IP Address from the DHCP Server ===

To start your network, simply run the following:

If you cannot get an IP address from the DHCP server when running {{ic|dhcpcd wlan0}}, use the following command to stop wpa_supplicant and try again:

Revision as of 19:21, 13 May 2013
